ROM Hack Modify GW downgrade pack?

Jhyrachy

Well-Known Member
OP
Member
Joined
Jul 25, 2011
Messages
262
Trophies
1
XP
1,013
Country
Italy
Hi,
I was looking to modify the GATEWAY.DG to allow the downgrade to a firmware lower than 4.5 (EU version).

You can wonder why, but the answer is that in 4.5 a lot of DS mode flashcards were blocked, like Acekard 2i and EZ Flash Vi.

Downgrading to a lower firmware will allow us to use our old flashcard to run the ds exploit without the need of a Gateway!

To download the needed firmware we can use this tool: https://gbatemp.net/threads/release...ds-fw-contents-create-installable-cia.375993/

And to decrypt the dg we can use this: https://gist.github.com/archshift/4cb754c432ba7854212a

But then I do not know how to proceed :/
 

Falo

Well-Known Member
Member
Joined
Jul 22, 2012
Messages
680
Trophies
2
XP
2,628
Country
Germany
Some stuff to think about:
- the exploit is currently being reversed by several people and after this is finished a "homebrew" launcher.dat is possible
- this homebrew launcher.dat can do whatever we want, right on 9.2 without any downgrade or gateway cart
- downgrading below 4.1 will bring you nothing, since the memory addresses will change and then you can't execute launcher.dat, you would have to make a new launcher.dat to work with your older firmware

and to answer your question:
Inside of gateway.dg is a list of tmds + decrypted contents from cdn, repacking any decrypted and properly signed cia into a new gateway.dg is possible, so installing cia's without downgrade or flashcard should be possible using this method.

note:
- downloaded cia's from cdn are still encrypted and cannot be used without decrypting them first!
- custom made cia's are not properly signed and cannot be used!
- the tmd's inside are identical with cdn downloads, they are not modified to change titleversion or remove encryption flag
 

Jhyrachy

Well-Known Member
OP
Member
Joined
Jul 25, 2011
Messages
262
Trophies
1
XP
1,013
Country
Italy
I'm unlucky about this:
US 3ds get back to 4.2 where acekard was enabled, EU 3ds are downgraded to 4.5, where I was blocked
 

Classicgamer

Well-Known Member
Member
Joined
Aug 20, 2012
Messages
646
Trophies
1
XP
1,038
Country
United States
I'm unlucky about this:
US 3ds get back to 4.2 where acekard was enabled, EU 3ds are downgraded to 4.5, where I was blocked

Well keep in mind it still doesn't work after gw dg to 4.2 usa. I'm thinking the dg doesn't restore every file to 4.2. Thankfully cearp supplied his flashcardtimewarp cia which does then allow ak2i to work again.
 

Falo

Well-Known Member
Member
Joined
Jul 22, 2012
Messages
680
Trophies
2
XP
2,628
Country
Germany
oh yeah, nobody has edited the new launcher yet. If it's even possible.
Well I did and others too, actually it's easier than decrypting the 2.X launcher.dat...

The new Launcher.dat is a combination of the old 4.X exploit and the new browser exploit,
the old exploit is from 0x0 to 0x8FFF.

first the browser payload stage1 decrypt code:
Code:
unsigned int *buffer = (unsigned int *)0x08F01000; /* stage 2 load address */
unsigned int key = 0;                               /* running key, wraps at 32 bits */
for (int i = 0; i < 0x1000; i++)                    /* 0x1000 words = 0x4000 bytes */
{
    key += 0xD5828281;
    buffer[i] += key;
}

the buffer is stage 2 and is always 0x4000 byte, loading address = 0x08F01000;

fw 2.0: buffer is at offset 0xA000 in launcher.dat
fw 2.1-3.X: buffer is at offset 0xE000 in launcher.dat
fw 4.0-4.X: buffer is at offset 0x12000 in launcher.dat
fw 5.0-7.0: buffer is at offset 0x16000 in launcher.dat
fw 7.1-9.4: buffer is at offset 0x1A000 in launcher.dat
fw unknown: buffer is at offset 0x1E000 in launcher.dat

stage 2 is the obfuscated rop code, basically it loads an arm payload through ninjhax(gpuhax)
well at this point, it should be easy to get code execution... ^^

google "Reversing Gateway Ultra First Stage (Part 1)" if you want to know more

Falo
do you think that it's possible to install this: http://gbatemp.net/threads/release-use-blocked-ds-flashcards-on-3ds-probably-n3ds-too.376719/ using the gateway.dg way?
I don't think it's possible, they modify the tmd titleversion and the cxi is still encrypted.
But it should be possible with an unmodified tmd and decrypted cdn content.
 
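The stage-1 loop and offset table above, as an added example in Python (not code from the post, from Gateway, or from the linked write-up): it slices stage 2 out of a launcher.dat image by firmware range and applies the running-key add with 32-bit wrap. The launcher image is constructed here; the offset table is the one listed in the post, with the "unknown" row left out, and all function names are mine.

```python
import struct

# Stage-2 offsets inside launcher.dat by firmware range, as listed in the post.
# Stage 2 is 0x1000 32-bit little-endian words (0x4000 bytes) loaded at 0x08F01000.
STAGE2_OFFSETS = {
    "2.0": 0xA000, "2.1-3.X": 0xE000, "4.0-4.X": 0x12000,
    "5.0-7.0": 0x16000, "7.1-9.4": 0x1A000,
}
STAGE2_WORDS = 0x1000
KEY_STEP = 0xD5828281
MASK = 0xFFFFFFFF

def decode_stage2(blob):
    """The stage-1 loop from the post: buffer[i] += running key, 32-bit arithmetic."""
    if len(blob) != STAGE2_WORDS * 4:
        raise ValueError("stage 2 must be 0x4000 bytes")
    words = list(struct.unpack("<%dI" % STAGE2_WORDS, blob))
    key = 0
    for i in range(STAGE2_WORDS):
        key = (key + KEY_STEP) & MASK
        words[i] = (words[i] + key) & MASK
    return struct.pack("<%dI" % STAGE2_WORDS, *words)

def encode_stage2(blob):
    """Inverse transform (subtract the running key); used only to build the sample."""
    words = list(struct.unpack("<%dI" % STAGE2_WORDS, blob))
    key = 0
    for i in range(STAGE2_WORDS):
        key = (key + KEY_STEP) & MASK
        words[i] = (words[i] - key) & MASK
    return struct.pack("<%dI" % STAGE2_WORDS, *words)

def extract_stage2(launcher, fw):
    """Locate stage 2 for the given firmware range and return it decoded."""
    off = STAGE2_OFFSETS[fw]
    return decode_stage2(launcher[off:off + STAGE2_WORDS * 4])

# Constructed sample: a fake launcher.dat in the 4.0-4.X layout whose stage 2 is a
# recognisable byte pattern stored in obfuscated form at offset 0x12000.
PLAIN = bytes(range(256)) * (STAGE2_WORDS * 4 // 256)
SAMPLE_LAUNCHER = bytes(0x12000) + encode_stage2(PLAIN) + bytes(0x4000)
```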

mb2010

Well-Known Member
Newcomer
Joined
Jan 12, 2015
Messages
63
Trophies
0
Age
34
XP
156
Country
If only I could downgrade my EU 3ds XL to less than 4.5. My flash card was blocked on 4.5 but works on my 4.4 regular 3ds, really frustrating, just want to play on the bigger screen.
 

Falo

Well-Known Member
Member
Joined
Jul 22, 2012
Messages
680
Trophies
2
XP
2,628
Country
Germany
Ok after analyzing this file format a bit more, I found out that it's tricky to use this as CIA installer, because this "downgrader" does not downgrade or install anything...

Inside of these dg's are 3 folders,

CTR -> 3DS Titles + Ticket.db
TWL -> DSi Titles
FIRM -> Firmware Folder (firm.bin)

How are they doing the downgrade ?
They just overwrite every 3ds & dsi system title with files inside of these folders and then they write a pre-made ticket.db and firm.bin to your nand.
This will delete all of your installed eShop downloads...

But this also means it's not possible to use this as cia installer, since you need some way to generate a ticket.db and that's currently not possible without devmenu.

Well anyway, here is a simple 010 Editor script to read it (after decrypting):

Code:
//--------------------------------------
//--- 010 Editor v5.0.2 Binary Template
//
// File:
// Author:
// Revision:
// Purpose:
//--------------------------------------
struct{
    char magic[4]; //GW3 + regionbyte
    //GW3E = EUR, GW3C = CHN, GW3T = TWN, GW3K = KOR, GW3J = JPN, GW3U = USA
    int headersize;
    ubyte checksum[headersize-8]; //unknown for now
 
    struct CTR ctr;  //3DS Container
    struct TWL twl;  //DSi Container
    struct FIRM firm; //Firmware Container
}Header;
 
struct CTR{
    char magic[4]; //CTR & 0x00
    int numCatalog;
    int szTicketDB;
    int szFirm; //reserved in ctr
 
    struct{
        struct CATA cata[numCatalog]<optimize=false>;
    }CatalogFiles;
 
    ubyte NandTicketDB[szTicketDB];
};
 
struct TWL{
    char magic[4]; //TWL & 0x00
    int numCatalog;
    int szTicketDB; //reserved in twl
    int szFirm; //reserved in twl
 
    struct{
        struct CATA cata[numCatalog]<optimize=false>;
    }CatalogFiles;
};
 
struct FIRM{
    char magic[4]; //FIRM
    int numCatalog; //reserved in firm
    int szTicketDB; //reserved in firm
    int szFirm;
 
    ubyte firm[szFirm];
};
 
struct CATA{
    char magic[4]; //CATA
    uint TitleIdHigh;
    int64 numTitles;
 
    //debug
    Printf("Folder: %08X, count: %d\n",TitleIdHigh, numTitles);
    struct TITL title[numTitles]<optimize=false>;
};
 
struct TITL{
    char magic[4]; //TITL
    int TitleIdLow;
    int unk3; //always 0?
    int tmd_size;
    int unk4; //junk data?
    int unk5; //junk data?
    int content0_size;
    int unk6; //junk data or content1_size
    int unk7; //junk data?
    int unk8; //junk data?
    int unk9; //always 0?
    int unk10; //always 0?
 
    struct TMD tmd;
    ubyte padding[0x3C]; //unknown...
 
    local int i;
    for(i=0;i<tmd.numContents;i++)
    {
        struct{
            byte data[tmd.contents[i].size];
        }Content;
    }
};
 
struct TMD{ //not the full struct
    BigEndian();
    ubyte data1[0x18C];
    uint64 TitleId;
    ubyte data2[0x48];
    ushort titleVersion;
    ushort numContents;
    ubyte data3[0x924];
    struct CONTENT contents[numContents]<optimize=false>;
    LittleEndian();
    //debug
    Printf("%016LX v%u\n",TitleId,titleVersion);
};
 
struct CONTENT{
    uint id;
    ushort index;
    ushort flags;
    int64 size;
    ubyte hash[0x20]; //sha256
};
 
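As an added example (not the template above and not Gateway's own code), the TITL/TMD/CONTENT part of that layout in Python: it walks consecutive TITL records inside a CATA folder, reading the big-endian TMD fields and checking each content blob against the SHA-256 stored in its CONTENT record. The record bytes are constructed here; the offsets come from the template, and the function names and the title IDs are mine.

```python
import hashlib
import struct

# Sizes follow the 010 template posted above (its TMD is partial, so these are the
# template's layout, not a full TMD spec). Title IDs in the sample are made up.
TITL_HDR = 4 + 11 * 4                   # magic + 11 int fields, little-endian
TMD_TITLEID = 0x18C                     # big-endian uint64
TMD_VERSION = TMD_TITLEID + 8 + 0x48    # ushort titleVersion, ushort numContents
TMD_FIXED = TMD_VERSION + 4 + 0x924     # bytes before the CONTENT records
CONTENT_REC = 0x30                      # id, index, flags, int64 size, sha256
TITL_PAD = 0x3C                         # unknown padding after the TMD

def parse_titl(buf, off):
    """Parse one TITL record at buf[off:]; return (summary, offset of next record)."""
    magic, tid_low, _unk3, _tmd_size = struct.unpack_from("<4sIii", buf, off)
    if magic != b"TITL":
        raise ValueError("no TITL magic at 0x%X" % off)
    tmd = off + TITL_HDR
    title_id = struct.unpack_from(">Q", buf, tmd + TMD_TITLEID)[0]
    version, n = struct.unpack_from(">HH", buf, tmd + TMD_VERSION)
    recs = tmd + TMD_FIXED
    data = recs + n * CONTENT_REC + TITL_PAD    # content blobs follow TMD + padding
    contents = []
    for i in range(n):
        cid, idx, _flags, size, digest = struct.unpack_from(">IHHq32s", buf, recs + i * CONTENT_REC)
        contents.append({"id": cid, "index": idx, "size": size,   # hash mismatch = tampered/bad layout
                         "hash_ok": hashlib.sha256(buf[data:data + size]).digest() == digest})
        data += size
    return {"title_id": title_id, "version": version, "contents": contents}, data

def build_titl(title_id, version, contents):
    """Constructed sample record (not from a real .dg) in the template's layout."""
    tmd = bytearray(TMD_FIXED + len(contents) * CONTENT_REC)
    struct.pack_into(">Q", tmd, TMD_TITLEID, title_id)
    struct.pack_into(">HH", tmd, TMD_VERSION, version, len(contents))
    for i, c in enumerate(contents):
        struct.pack_into(">IHHq32s", tmd, TMD_FIXED + i * CONTENT_REC,
                         i, i, 0, len(c), hashlib.sha256(c).digest())
    hdr = struct.pack("<4sI10i", b"TITL", title_id & 0xFFFFFFFF, 0, len(tmd),
                      0, 0, len(contents[0]), 0, 0, 0, 0, 0)
    return hdr + bytes(tmd) + bytes(TITL_PAD) + b"".join(contents)

def walk(buf, count):
    # Walk `count` consecutive TITL records, as they sit inside one CATA folder.
    out, off = [], 0
    for _ in range(count):
        rec, off = parse_titl(buf, off)
        out.append(rec)
    return out

SAMPLE = build_titl(0x0004000000001111, 5, [b"A" * 64, b"B" * 16]) + build_titl(0x0004000000002222, 2, [b"C" * 32])
```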

ChrisX930

Banned!
Banned
Joined
Sep 3, 2013
Messages
788
Trophies
0
Location
Germany
XP
458
Country
Gambia, The
But first, we need to know how to modify/replace the cxi-files AND we need to know how to encrypt the dg-file after that.
Thank you btw for the batch file
 

berichan

ACNHMobileSpawner dev
Member
Joined
Dec 9, 2014
Messages
224
Trophies
0
XP
625
Country
Antarctica

Codename

GREEN BRO IS BEST BRO
Member
Joined
Feb 21, 2012
Messages
365
Trophies
0
XP
243
Country
Canada
To repack and re-encrypt the downgrade files, couldn't someone attempt to make a script that reverses the actions of the decrypting and extracting scripts? Maybe it's not that easy, but it would be awesome if we could get something working. I would love to cheat my way around the downgrade and just downgrade the system titles (DS Profile stuff) necessary to get many flashcards working on 9.x.
 

berichan

ACNHMobileSpawner dev
Member
Joined
Dec 9, 2014
Messages
224
Trophies
0
XP
625
Country
Antarctica
To repack and re-encrypt the downgrade files, couldn't someone attempt to make a script that reverses the actions of the decrypting and extracting scripts? Maybe it's not that easy, but it would be awesome if we could get something working. I would love to cheat my way around the downgrade and just downgrade the system titles (DS Profile stuff) necessary to get many flashcards working on 9.x.


You can recrypt the dg file by using the dg decryptor on the edited dg again because it's just a bunch of xors. I managed to edit a few things last night that I'm sure won't brick my system, but I'm not sure how to go about creating a ticket.db(title?) just yet.

Who's this archshift anyways?

Someone on irc #3dsdev
 
